TopVuln

Details

CVSS v3

5.9

CVSS v4

8.2

NVD published

2026-02-04 15:16:14

EPSS

<0.1% probability · 3.2th percentile — 2026-03-16

Affected versions

cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:* cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*

Summary

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

Not available in our cache.

Exploit info

Not available in our cache.